As is well known, most host-based and network-based security systems connected to a network include a hardware-based or software-based access control list (ACL). When a service attack is blocked based on the ACL, information on a packet that is detected or suspected to be an attack packet, e.g., an Internet protocol (IP) address, a port number, protocol information, and so on, is registered (or stored) in the ACL; thereafter, when an input packet matching the registered attack packet information arrives, the input packet is blocked.
Herein, when information on a packet to be blocked is registered in or deleted from the ACL, no serious problem arises if a user registers or deletes the packet information manually. However, if the packet information is registered or deleted automatically, a problem may arise in determining when to delete the packet information registered in the ACL.
In most cases, the packet information registered in the ACL is automatically deleted after a predetermined time has passed, and then, if another attack packet is detected, information on the detected attack packet is registered in the ACL.
For example, in a security system connected to a network, a threshold-based detecting/blocking scheme is usually used to block a User Datagram Protocol/Internet Control Message Protocol (UDP/ICMP) flooding attack. According to this scheme, when the UDP/ICMP flooding attack starts, the number of UDP/ICMP packets input to the security system increases and finally exceeds a threshold value preset in the security system to protect a service system; the UDP/ICMP packets input after the number of UDP/ICMP packets reaches the threshold value are blocked.
To compare the number of UDP/ICMP packets with the threshold value, the number of UDP/ICMP packets input to the security system during a certain operating period, e.g., 1 second, is counted. If the number of UDP/ICMP packets input during that operating period exceeds the threshold value, the UDP/ICMP packets input to the security system after the count reaches the threshold value are blocked. In the next operating period, the number of UDP/ICMP packets input to the security system is counted again from zero.
In other words, from the viewpoint of the security system, a situation in which the number of UDP/ICMP packets exceeds the threshold value means that most of the packets input to it are attack packets. From the viewpoint of the service system to be protected, it means that in every operating period the service system continuously consumes service resources to process the attack packets that arrive before the count reaches the threshold value, i.e., a number of attack packets less than the threshold value.
In order to reduce this unnecessary consumption of service resources, the security system should reduce the attack packets from the operating period following the one in which the number of attack packets exceeded the threshold value. For this purpose, the security system registers in the ACL the information on the packets at the point in time at which the number of packets exceeds the threshold value, and blocks in advance any packet whose information matches the packet information registered in the ACL. In this case, the blocking time is set to a fixed time, e.g., 10 minutes, and once the blocking time has passed, the information on attack packets (i.e., the attack packet information) registered in the ACL is automatically deleted from the ACL.
If the service attack continues even after the attack packet information is deleted from the ACL, the removed attack packet information is registered in the ACL again through the processes described above.
However, the conventional method of deleting the attack packet information registered in the ACL may have the following problems.
1) Damage may be caused by an attack occurring between the time at which the attack packet information is deleted from the ACL and the time at which it is re-written in the ACL.
2) When the period after which the attack packet information is deleted from the ACL is shortened, the damage may increase.
3) When that period is lengthened to avoid problems (1) and (2) above, normal packets may also be blocked for a long time, since it is not possible to perfectly detect only attack packets and register only their information in the ACL.
In particular, in the case of the UDP/ICMP flooding attack, since it is not guaranteed that all packets input after the number of packets exceeds the threshold value are attack packets, problem (3) above may be more serious.
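The following simulation is an added example, not code from the page or from any product it describes. It models the scheme described above (a per-period packet counter, registration of the source of the packet that crosses the threshold, and an ACL entry that is deleted after a fixed blocking time) with small constructed values (10-tick operating period, threshold of 5 packets, 30-tick blocking time, documentation-range IP addresses) so that the trace can be followed by hand. It shows problem (1), the flood packets that leak through between deletion and re-registration, and problem (3), a normal host whose single packet happens to cross the threshold and is therefore blocked for the whole blocking time. Counting only packets that reach the counter (i.e., not those already blocked by the ACL) is a modelling choice the page does not specify.

```python
"""Simulation of threshold-based UDP/ICMP flood blocking with a fixed-lifetime ACL.

Time is measured in integer ticks (think 0.1 s). All values are constructed for
illustration; they are not taken from any real system.
"""
from collections import Counter


class ThresholdAclFilter:
    """Per-period packet counter plus an ACL whose entries expire after a fixed time."""

    def __init__(self, threshold, period, block_time):
        self.threshold = threshold      # packets per period above which blocking starts
        self.period = period            # operating period length in ticks
        self.block_time = block_time    # fixed ACL lifetime in ticks
        self.acl = {}                   # src_ip -> tick at which the entry expires
        self.registrations = []         # (tick, src_ip) each time an entry is written
        self.period_idx = None
        self.count = 0

    def handle(self, t, src_ip):
        """Process one packet arriving at tick t and return its verdict."""
        # A new operating period starts: the counter is reset.
        idx = t // self.period
        if idx != self.period_idx:
            self.period_idx, self.count = idx, 0
        # The fixed blocking time has elapsed: the entry is deleted automatically.
        expiry = self.acl.get(src_ip)
        if expiry is not None and expiry <= t:
            del self.acl[src_ip]
        elif expiry is not None:
            return "blocked_acl"            # blocked in advance by the ACL entry
        # Modelling choice: packets already blocked by the ACL are not counted.
        self.count += 1
        if self.count > self.threshold:
            # Register the source of the packet that crossed the threshold.
            self.acl[src_ip] = t + self.block_time
            self.registrations.append((t, src_ip))
            return "blocked_threshold"
        return "passed"


def run(flt, packets):
    """Feed (tick, src_ip) tuples in arrival order; return (tick, src_ip, verdict) triples."""
    return [(t, src, flt.handle(t, src)) for t, src in packets]


ATTACKER = "198.51.100.23"   # constructed (documentation range)
NORMAL = "203.0.113.7"       # constructed (documentation range)


def flood_packets(ticks=100):
    """Constructed flood: one attack packet per tick for `ticks` ticks."""
    return [(t, ATTACKER) for t in range(ticks)]


def flood_only():
    """Attacker alone: how much of the flood leaks through the deletion/re-registration gap."""
    flt = ThresholdAclFilter(threshold=5, period=10, block_time=30)
    log = run(flt, flood_packets())
    totals = Counter(v for _, _, v in log)
    first_block = flt.registrations[0][0]
    leaked = sum(1 for t, _, v in log if v == "passed" and t > first_block)
    return {
        "passed": totals["passed"],
        "blocked_threshold": totals["blocked_threshold"],
        "blocked_acl": totals["blocked_acl"],
        "leaked_after_first_block": leaked,   # problem (1): packets passed during the gap
    }


def collateral():
    """Normal host whose packet crosses the threshold: verdicts for its three packets."""
    flt = ThresholdAclFilter(threshold=5, period=10, block_time=30)
    normal = [(4, NORMAL), (20, NORMAL), (40, NORMAL)]
    # Stable sort keeps the attacker's packet ahead of the normal one on equal ticks,
    # so the normal packet at tick 4 is the sixth packet of the first period.
    packets = sorted(flood_packets() + normal, key=lambda p: p[0])
    log = run(flt, packets)
    return [v for _, src, v in log if src == NORMAL]   # problem (3): blocked for block_time


if __name__ == "__main__":
    print("flood only:", flood_only())
    print("normal host:", collateral())
```

With these values the flood-only run passes 25 of 100 attack packets: 5 in the first period before the threshold is crossed, and 20 more in the windows between the ACL entry expiring and the threshold being crossed again. In the second run the normal host's first packet is the one that crosses the threshold, so its address is registered and its later packet is blocked by the ACL until the blocking time has elapsed, even though the flood came from a different source.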